As the financial systems have gone online, there is a dire need to implement a robust information security system in place. Here, the CEO of one of the Infotech entities from the banking industry provides his insights on the invaluable alliance of financial systems with cybersecurity.
What is the current cybersecurity status of the banks in India and around the world? What type of risks do the financial systems confront?
The risks in the banking sector are chiefly associated with those delivery channels that enable banking services. In contemporary times, customers rely more on the services provided via delivery channels than the branch personnel. Hence, cybersecurity becomes a fundamental necessity in safeguarding branchless banking.
What role does the government have in improving cybersecurity index of the financial sector?
Authorities in-charge must review the laws pertaining to cybersecurity on a regular basis, at least once in six months or annually. This requires reviewers to be up-to-date with the risks related to cybersecurity and consequently bring related amendments. Such reviewal practices help in overcoming the ambiguity in the law and prevent the offender from dodging the penalty. Thus, protecting financial institutes at stake.
In the context of financial systems, which are the best compliance standards?
First and foremost, it is essential to have the best cybersecurity practices in place. One is, of course, Vulnerability Assessment and Penetration Testing. Then, a robust cybersecurity framework supported by a security operations centre. There are many other practices like password protection, awareness training, multi-factor authentication, etc. Adherence to such practices is essential for every financial organisation.
Talking of compliance standards, such as ISO 9001 or ISO 27001, though they are acceptable standards they are not mandatory. Naturally, they become ornamental in value. That means though compliance standards are useful, tracing losses to the non-adherence of such compliance is rather difficult.
How far are the proactive measures taken up by banks effective in reducing the cyber attacks?
Proactive measures are invariably capable of reducing cyber attacks because they help in understanding risks from the business point of view. Unless you identify the risk and measure its impact, you cannot mitigate it.
What could be such proactive measures?
Suppose you are offering a product which is in the form of delivery channels. So you need to identify the risks involved in deploying that product, measure its impact, and then devise a plan to mitigate it. Usually, a bank has to identify who is the target customer and from where he/she is accessing the system. Whether the system is accessed from within the state, within the country or overseas? Then accordingly, the plugins have to be there with the application to prevent attacks. Before deploying proactive measures, banks must take note of the money involved and the number of transactions happening over a period of time.
ATM has reduced a lot of banking operations, but has increased challenges from the cybersecurity perspective. How to safeguard such banking operations that involve ATM?
Ultimately, ATM facilitates the withdrawal of cash. Such operations like cash withdrawal must enhance with the complementary innovations such as that of Micro ATM, which is a modified POS device. The chances of hacking the device are far less in such scenarios because the transaction happens in the presence of a person.
Every economy has to migrate from less cash to cashless. While moving from less cash to cashless, eventually, the ATMs have to be there. We at once cannot digitalise the payments. Cash has to be enabled. And if we complement it through such micro ATMs then to a certain extent, we can reduce the risks involved in ATMs.
What is the biggest risk hovering over the banking industry?
In contemporary times, the banking industry is technologically advanced. So technology poses the biggest risk. In 1988, when Basel Norms came in place, credit scams were considered as the only risk. Subsequently, they thought of the market and operational risks. Afterward, Basal III addressed liquidity risk. Suddenly henceforth, they discussed technology concerning cybersecurity.
How much of the budget would you allocate for a better cybersecurity framework?
It should be planned depending on the type of business, exposure of the delivery channels, etc.
Which collective efforts from the cybersecurity community can make the banking industry more secure?
The community must make efforts to make people aware of cybersecurity's best practices. Just issuing white papers won't serve the purpose. They have to demystify the ambiguous facts related to cybersecurity, in a language easy to comprehend by both common men as well as banking personnel.
Privacy is the new buzzword. How should businesses plan to secure customer privacy along with providing customer services and achieving business objectives?
Because the technology is advancing, privacy is the new buzzword. But banking is concerned about privacy ever since its inception. We always used to talk about privacy around customers' bank records. But, of course, there are wider connotations to privacy. Nowadays, privacy revolves around the entire profile of the customer and that personal information of the customer is far more important and valuable than the bank balance itself.
In case of a cybersecurity breach, what are the quick things that any bank should do? Does cyber insurance help?
If the security incident happened because of the unauthorised access to the system, cease the system. Other than that, a banker can do nothing. Usually, in such cases, a banker can act only if the incident is brought to the knowledge immediately. Otherwise, if the event has already passed by, then they can only do the postmortem of the incident.
Cyber insurance serves the same purpose as that of cybersecurity. You must be content about having an insurance policy, but when the actual calamity happens you do not know to what extent it would come to your rescue. Like cybersecurity, explain cyber insurance in a language easy to comprehend by common men.